From: David S. Miller <davem@redhat.com> Subject: [RHEL5 2/2]: IPV6 security holes in ipv6_sockglue.c Date: Tue, 13 Mar 2007 17:30:50 -0400 (EDT) Bugzilla: 231517 Message-Id: <20070313.173050.75871258.davem@redhat.com> Changelog: [net] IPV6 security holes in ipv6_sockglue.c - 2 Via the kernel.org bugzilla entry, Olaf Kirch wrote a fix for another 'opt' blind dereference in this code. This OOPS is triggerable via a 4 line test program. Please ACK. commit dfee0a725bb027b749ffdd318eb48b91d564b266 [IPV6]: Fix for ipv6_setsockopt NULL dereference I came across this bug in http://bugzilla.kernel.org/show_bug.cgi?id=8155 Signed-off-by: Olaf Kirch <olaf.kirch@oracle.com> Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> --- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c @@ -408,7 +408,7 @@ } /* routing header option needs extra check */ - if (optname == IPV6_RTHDR && opt->srcrt) { + if (optname == IPV6_RTHDR && opt && opt->srcrt) { struct ipv6_rt_hdr *rthdr = opt->srcrt; if (rthdr->type) goto sticky_done;
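Review bot: In the `IPV6_RTHDR` condition, the added `opt &&` test guards only the `opt->srcrt` read on that line. When `opt` is NULL the whole routing-header check is skipped and execution continues past the block, so it is worth confirming that the code following this `if` (not visible in the hunk) also tolerates a NULL `opt`. The commit message says only that this fixes a NULL dereference and links the bugzilla entry. A sentence stating under which condition `opt` can be NULL at this point, plus the 4 line test program mentioned in the cover text, would make the fix easier to verify and to regression-test.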